
The Alabama Personal Data Protection Act (APDPA): A Guide for Website Owners

Read time: 10 mins
Published: Jun 2, 2026

  • Alabama's Personal Data Protection Act (APDPA), enacted through HB 351 in April 2026, takes effect May 1, 2027.
  • The law applies to businesses processing data of more than 25,000 Alabama residents, or deriving more than 25 percent of gross revenue from data sales.
  • Consumers can access, correct, delete, and export their personal data, and opt out of targeted advertising, data sales, and certain automated decisions with significant effects.
  • Sensitive data, including health data, biometric data, precise geolocation, and children's data, requires prior consent before it can be collected or used.
  • The APDPA requires opt-in consent for targeted advertising and data sales involving users known to be between 13 and 15 years old, and includes an explicit consent revocation right.
  • Enforcement is by the Alabama Attorney General only; civil penalties can reach USD 15,000 per violation, with a permanent 45-day cure period.

Alabama is the latest U.S. state to enact comprehensive data privacy legislation. The Alabama Personal Data Protection Act (APDPA) was passed by the Alabama Legislature on April 7, 2026, and takes effect on May 1, 2027.

For website owners already familiar with privacy laws in states like Virginia, Texas, or, more recently, Oklahoma, Alabama's framework will look broadly familiar: an opt-out model for most data uses, consent required for sensitive data, and enforcement through the state's Attorney General.

But the APDPA has features that make it wider in reach and stricter in places than many of its peers. The applicability threshold is set at just 25,000 consumers, meaning many small and mid-sized websites with Alabama audiences will need to take the law seriously. 

Its definition of "selling" personal data is broader than most. It explicitly requires you to let users revoke their consent. And it adds opt-in consent requirements for 13- to 15-year-olds, rather than relying only on parental consent for minors under 16, as many comparable laws do.

What Is the Alabama Personal Data Protection Act?

The Alabama Personal Data Protection Act is a state-level data privacy law that gives Alabama residents rights over their personal data and sets out rules for businesses that collect, use, and share it. Its official name comes from Section 1 of the enrolled act, House Bill 351.

The law follows the same opt-out structure used by most U.S. state privacy laws. In most circumstances, you don't need to ask for permission before collecting personal data. But you must give people a clear, accessible way to object to specific uses like data sales and targeted advertising, and you must tell them what you're doing with their information. For sensitive categories of data, prior consent is required.

Key Definitions the APDPA Uses

The APDPA's definitions, which are set out in Section 2, determine what it covers and who it applies to. Several are worth examining closely.

Personal Data

The APDPA defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable individual." This covers most data that websites routinely collect, including names, email addresses, IP addresses, cookie identifiers, and behavioral tracking data. It excludes de-identified data and publicly available information.

Sensitive Data

Sensitive data gets extra protection under the APDPA. Before collecting or processing it, you need to get the person's affirmative consent. The law defines sensitive data as revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health condition or diagnosis
  • Sex life or sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data processed to uniquely identify someone
  • Personal data collected from a known child (under 13)
  • Precise geolocation data (within a 1,750-foot radius)

Biometric Data

The APDPA defines biometric data as measurements of biological characteristics like fingerprints, voiceprints, retinas, or irises "used to identify a specific individual." 

Photographs, videos, and audio recordings are excluded, "unless the data is used to identify a specific individual." If you're processing images or audio specifically to recognize and identify individuals, that data is in scope.

Consumer

The law applies to consumers, i.e., Alabama residents acting in a personal or household context. It does not cover people acting in a business or employment capacity.

Sale of Personal Data

The APDPA's definition of "sale" is broader than most comparable state laws. It covers not just monetary exchanges but also exchanges for "other valuable consideration" where the controller receives a material benefit and the third party is not restricted in its subsequent use of the data. Some data-sharing arrangements that wouldn't count as a "sale" in other states might qualify in Alabama. Specific exclusions apply, including:

  • Sharing data with vendors processing it on your behalf
  • Disclosures to fulfill a consumer-requested service
  • Transfers to affiliated companies
  • Analytics service disclosures
  • Marketing service disclosures made solely for the controller's own benefit

Targeted Advertising

Targeted advertising under the APDPA means serving ads based on a person's behavior across different, unaffiliated websites or apps over time. Contextual ads that are based on what the user is currently viewing are not covered. Neither are ads based on activity within your own website.

Consent

The APDPA requires consent to be "a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement." Passive actions such as hovering over content, muting a video, or clicking through a terms of use page do not count as valid consent.

Consent obtained through dark patterns is also explicitly excluded. A cookie banner that pre-ticks boxes or buries opt-out options doesn't meet this standard.

Does the APDPA Apply to Your Website?

Section 3 of the APDPA covers businesses that conduct business in Alabama, or produce products or services targeted to Alabama residents, if they meet at least one of the following:

  • Process personal data of more than 25,000 Alabama consumers (excluding data processed solely to complete a payment transaction), or
  • Derive more than 25 percent of gross revenue from the sale of personal data

The 25,000-consumer threshold is significantly lower than the 100,000-consumer threshold used in several other states’ privacy laws. A regional e-commerce site, a B2B SaaS product with an Alabama customer base, or a mid-sized publisher with Alabama readers could easily clear this bar.

There's no minimum annual revenue floor. Under the APDPA, a smaller business that processes data from more than 25,000 Alabama residents is in scope.

Who Is Exempt?

Several categories of business are not covered by the APDPA:

  • Businesses with fewer than 500 employees: as long as they don't sell personal data
  • Nonprofits with fewer than 100 employees: as long as they don't sell personal data
  • Financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
  • HIPAA-covered entities and business associates
  • Higher education institutions (two-year and four-year colleges and affiliates)
  • Political organizations, PACs, and political parties (and businesses that sell data primarily to them)
  • State and local government bodies

Data-level exemptions also apply: HIPAA health data, FERPA student records, FCRA credit data, employee and contractor data, and emergency contact information are all outside the APDPA's scope.

If you're a smaller business wondering whether the employee-count exemption applies, pay close attention to whether any third-party data-sharing arrangements constitute a "sale" under the APDPA's definition. That exemption disappears the moment data sales are involved.

What Rights Do Alabama Residents Have?

Under Section 5 of the APDPA, Alabama consumers can submit requests to exercise the following rights:

  • Right to access: Confirm whether you're processing their data and receive a copy of it
  • Right to correct: Ask you to fix inaccuracies in their personal data
  • Right to delete: Request deletion of their personal data
  • Right to portability: Receive their data in a portable, machine-readable format where automated processing is involved
  • Right to opt out: Of targeted advertising, data sales, and automated profiling that leads to significant decisions, such as those affecting credit, housing, insurance, employment, or healthcare
  • Right to nondiscrimination: Businesses cannot penalize a consumer for exercising their rights

Parents and guardians can exercise rights on behalf of children and other consumers in their care. There is no private lawsuit right (private right of action) under the APDPA.

How Must You Respond to Consumer Requests?

Section 5(d) sets the response rules. Respond within 45 days of receiving the request. If you need more time, a further 45-day extension is available, but you must tell the consumer within the initial 45 days. Responses must be provided free of charge once per consumer per 12-month period.

If you decline a request, you must tell the consumer why and provide an appeal process. If the appeal is denied, direct the consumer to the Alabama Attorney General. You cannot require consumers to create a new account just to submit a request.

Consent Requirements Under the APDPA

The APDPA's consent framework differs depending on the type of data being processed and the age of the consumer. Three distinct consent requirements apply.

It’s also important to note that the APDPA does not require recognizing Global Privacy Control (GPC) or other opt-out mechanisms.

Sensitive Data

For most personal data, the APDPA uses an opt-out model. But for sensitive data, you need affirmative consent before you start, which is common across U.S. privacy laws. That means your cookie consent setup needs to ask permission before processing precise location data, health information, or biometric data.

Consent Revocation

Section 7(a)(3) requires controllers to provide "an effective mechanism for a consumer to revoke the consumer's consent under this act that is at least as easy as the mechanism by which the consumer provided the consumer's consent." Once revoked, you must stop processing that data no later than 45 days after receiving the opt-out request.

In practical terms, if your consent banner allowed a consumer to opt in with two clicks, the opt-out path cannot be any more difficult than two clicks.

Teens Aged 13 to 15

Section 7(b)(4) of the APDPA prohibits processing personal data for targeted advertising or selling personal data when the controller has actual knowledge that the consumer is at least 13 but younger than 16 years of age, unless the controller has obtained that consumer's consent. If your platform or website serves teenagers, review how you handle data for this age group before May 1, 2027.

Children Under 13

Personal data of a known child (under 13 years old) is classified as sensitive data, requiring parental consent before collection or processing. Section 4(c) provides that compliance with the federal Children's Online Privacy Protection Act (COPPA)'s verifiable parental consent requirements satisfies the APDPA's parental consent obligation.

What Your Website Needs to Have in Place

The APDPA sets out specific operational requirements for businesses in scope. The following areas need to be addressed before the law takes effect on May 1, 2027.

A Clear and Accurate Privacy Notice

Your privacy notice must include: 

  • Categories of personal data you process
  • Purposes for processing
  • Categories shared with third parties and who they are
  • Whether you sell data or use it for targeted advertising
  • Contact email or mechanism
  • How consumers can exercise their rights, including a link to your opt-out mechanism
  • “Clear and conspicuous disclosure” if you sell data or use it for targeted advertising

An Opt-Out Link

Section 6 requires controllers to provide a "clear and conspicuous link" on their website to a page where consumers can opt out of targeted advertising and data sales, or contact information through which they can submit an opt-out request.

A Consent Revocation Mechanism

Your consent management setup must allow consumers to revoke consent as easily as they gave it. Once revoked, processing must stop within 45 days.

Processor Agreements

If you share personal data with any third-party vendors — advertising platforms, analytics tools, email providers, etc. — those relationships need to be governed by a written contract setting out the nature, purpose, duration, and scope of data processing, with requirements for confidentiality and equivalent obligations on any sub-vendors.

Dark Pattern Compliance

The APDPA explicitly prohibits consent interfaces designed to "substantially subvert or impair user autonomy, decision-making, or choice." No pre-ticked opt-in boxes, no misleading button labels, no hidden opt-out flows, and no unnecessary friction in the consent revocation path. Review your cookie banner and privacy settings carefully.

APDPA Enforcement

Enforcement is the exclusive responsibility of the Alabama Attorney General. There is no private right of action for consumers.

Before bringing an enforcement action, the Attorney General must issue a notice of violation. The controller then has 45 days to fix the problem. If the violation is corrected and the controller provides a written statement confirming correction and no further violations, no action may be initiated. The 45-day cure period is permanent.

If the violation is not corrected, courts can assess civil penalties of up to USD 15,000 per violation. This is double the USD 7,500 cap used in states like Virginia, Texas, and Oklahoma.

How the APDPA Differs from Other U.S. State Privacy Laws

  • Lower consumer threshold: 25,000 consumers, vs. 100,000 in a number of other states
  • Lower revenue trigger: 25 percent of gross revenue from data sales, vs. 50 percent in most comparable states
  • No minimum revenue floor: No annual revenue threshold, unlike California's USD 25 million requirement
  • Small business exemption: Businesses under 500 employees that don't sell data are exempt
  • Broader "sale" definition: Covers non-monetary exchanges where the controller receives material benefit and the recipient has unrestricted use of the data
  • Consent revocation: Explicitly required, with a 45-day processing deadline
  • Teen protections: Opt-in consent required for targeted advertising and data sales involving known 13- to 15-year-olds
  • Higher penalties: USD 15,000 per violation, vs. USD 7,500 in many comparable states
  • Permanent cure period: The 45-day cure window doesn't expire

Frequently asked questions

What is the Alabama Personal Data Protection Act?

The Alabama Personal Data Protection Act (APDPA) is a U.S. state-level data privacy law enacted through House Bill 351 in April 2026. It gives Alabama residents rights over their personal data and sets out rules for businesses that collect, use, and share it. The APDPA takes effect on May 1, 2027.

Who does the APDPA apply to?

The APDPA applies to businesses that conduct business in Alabama, or that produce products or services targeted to Alabama residents, if:

  • They process personal data of more than 25,000 Alabama consumers, or 
  • Derive more than 25 percent of gross revenue from the sale of personal data 

There is no minimum annual revenue threshold. Businesses with fewer than 500 employees that do not sell personal data are exempt, as are nonprofits with fewer than 100 employees that do not sell personal data.

What rights do Alabama residents have under the APDPA?

Alabama residents have the right to access, correct, delete, and export their personal data. They can also opt out of targeted advertising, the sale of their personal data, and certain automated decision-making that affects significant life decisions such as credit, employment, housing, or healthcare. Businesses cannot penalize consumers for exercising these rights.

What counts as sensitive data under the APDPA?

Sensitive data under the APDPA includes data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health information
  • Sexual orientation or sex life
  • Citizenship or immigration status 
  • Genetic and biometric data processed to uniquely identify a person
  • Precise geolocation data (within a 1,750-foot radius)
  • Personal data collected from a known child under 13

Does the APDPA have special rules for teenagers?

Yes, it does. If a business has actual knowledge that a consumer is between 13 and 15 years old, it must obtain that person's opt-in consent before processing their data for targeted advertising or selling it. This is stricter than the opt-out model that applies to adults.

Who enforces the APDPA, and what are the penalties?

Enforcement is the exclusive responsibility of the Alabama Attorney General. There is no private right of action for consumers. Before bringing an action, the Attorney General must give the business a 45-day notice and opportunity to cure the violation. The cure period is permanent. Civil penalties can reach USD 15,000 per violation.

How does the APDPA differ from other state privacy laws?

The APDPA's applicability threshold of 25,000 consumers is significantly lower than the 100,000-consumer threshold used in states like Virginia, Texas, and Oklahoma, meaning more businesses will be in scope.

Its definition of "sale" is broader, covering non-monetary exchanges where the controller receives a material benefit. The maximum civil penalty of USD 15,000 per violation is double the cap in most comparable state laws.

How can Cookiebot CMP help with APDPA compliance?

Cookiebot CMP can help website owners meet the APDPA's consent and opt-out requirements. The patented scanner checks your site for cookies and trackers, populating a cookie banner (and privacy notice) that supports opt-out requests for targeted advertising and data sales, and providing a consent revocation mechanism.

It also supports the prior consent requirements for sensitive data categories. Cookiebot CMP updates automatically as laws change, helping your site stay aligned with evolving requirements.